Microsoft scrambles as it patches 26 bugs, warns users of active attacks
Hectic, info-packed Patch Tuesday as software maker yanks update, patches worm-ready flaw and tells customers to get some fixes manually
Computerworld - Microsoft on Tuesday patched 26 vulnerabilities, including one in Internet Explorer (IE) that's already being exploited. The company also warned customers of a new zero-day attack and quashed yet another instance of a bug that the Duqu intelligence-gathering Trojan leveraged.
The software maker also ditched one security update at the last minute and substituted another in its place, probably because the second was more serious.
Of Tuesday's seven security updates, three were rated "critical," Microsoft's top-most threat ranking, while the other four were marked "important," the next-most-serious label.
The 26 vulnerabilities -- one more than Microsoft last week told users to expect -- included 10 critical, 14 important and two judged "moderate" in the company's four-step scoring system.
Independent researchers almost unanimously pegged MS12-037 as the update Windows users should grab first.
The 13-bug patch collection affects all versions of IE, including IE10 on Windows 8 Consumer Preview, the February sneak peak that was superseded by the Review Preview two weeks ago.
"It's always important to get an IE update deployed," said Jason Miller, manager of research and development at VMware, as he cited the browser's popularity, especially in business, and thus the huge number of possible victims.
Microsoft admitted that one of the baker's dozen was already being exploited by hackers, raising the importance of applying the update immediately. "Microsoft is aware of limited attacks attempting to exploit the vulnerability," stated the company's advisory, which divulged no other details of the ongoing exploits. The vulnerability affects only IE8, the 2009 version that remains the most widely used version of Microsoft's browser.
A second vulnerability patched by MS12-037 has been publicly disclosed, Microsoft said.
Also included in the 13 was a critical vulnerability that French firm Vupen Security exploited to hack IE9 at March's Pwn2Own contest, where researchers face off against browsers for cash prizes. For its efforts, which featured a hack not only of IE9 but also Google's Chrome, the Vupen team took home $60,000.
Last week, Andrew Storms, director of security operations at nCircle Security, bet that the Vupen bug would be patched this month. But Tuesday, he said it was too close to call between the IE update and a rival, MS12-036, for first-to-fix honors.
"Certainly, [MS12-036] makes it to the top of the worrisome list," said Storms.
That update, also rated critical, patches just one vulnerability in the Remote Desktop Protocol (RDP), a Windows component that lets users remotely access a PC or server. RDP is frequently used by corporate help desks, off-site users and IT administrators to manage servers at company data centers and those the enterprise farms out to cloud-based service providers.
- Path Selection Infographic Path Selection Infographic
- Hyperconvergence Infographic A wide range of observers agree that data centers are now entering an era of "hyperconvergence" that will raise network traffic levels faster...
- Preparing Your Infrastructure for the Hyperconvergence Era From cloud computing and virtualization to mobility and unified communications, an array of innovative technologies is transforming today's data centers.
- How WAN Optimization Helps Enterprises Reduce Costs If you wanted to break down innovation into a tidy equation, it might go something like this: Technology + Connectivity = Productivity. Productivity...
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Windows White Papers | Webcasts